Abstract

We present a polynomial quantum algorithm for the Abelian stabilizer problem which
includes both factoring and the discrete logarithm. Thus we extend famous Shor's results.
Our method is based on a procedure for measuring an eigenvalue of a unitary operator.
Another application of this procedure is a polynomial quantum Fourier transform algorithm
for an arbitrary finite Abelian group. The paper also contains a rather detailed
introduction to the theory of quantum computation.

Introduction 

It has been known for a long time that all "reasonable" computation models are equivalent.
Moreover, every universal machine A can simulate any other machine B with at most polynomial
slowdown. For instance, a computation, which takes time t on a random access memory
(RAM) machine, can be done in time O(t^) on a Turing machine. (The slowdown is nonlinear
because the Turing machine has to scroll its tape to access a distant memory cell). In view of
this equivalence, theoretical computer scientists classify algorithms as polynomial^ and
superpolynomial, the former being considered efficient, the latter inefficient. A polynomial
algorithm remains polynomial when adapted to another machine model.

Many physical phenomena can be simulated on a computer in polynomial time, although it is
sometimes impracticable because of the great number of particles involved. However, simulation
of quantum mechanics may be computationally expensive even with few particles. Consider a
system with 2 states. If we take n copies of this system we will get a new system with $2^n$ states.
Its quantum evolution (for a given time interval) is characterized by a unitary matrix of size
$2^n \times 2^n$. Unless one invents a more intelligent method, simulation of the evolution amounts
to multiplication of evolution matrices corresponding to very short time intervals. It takes
exponential time to compute one separate item of the product. (However, such computation
can be done with polynomial memory).

^ An algorithm (for a given problem and a given machine model) is called polynomial if the number of steps
of the algorithm grows not faster than some power of the size of the input.

But if quantum mechanics is really difficult to simulate, a quantum computer should be 
more powerful than the classical one. How to know it for certain? A quantum computer is still 
an imaginary device which has not been constructed yet. Not thinking about technology, there 
are 3 fundamental questions to be answered. 

1. Is there any simple and universal model of quantum computation? 

2. Can a quantum computer solve a computational problem which is known to be hard for 
a classical computer? 

3. As far as the group of unitary transformations $U(2^n)$ is continuous: To what extent is
quantum computation sensitive to perturbation? And is it possible to organize computation
so that a moderate perturbation would not affect the result?

Quantum devices for doing classical computation were suggested by Benioff, Peres and
Feynman. Deutsch was the first to give an explicit model of quantum computation.
He defined both quantum Turing machines and quantum circuits. Yao showed that these
two models are equivalent. More specifically, quantum Turing machines can simulate, and be
simulated by, uniform families of polynomial size quantum circuits, with at most polynomial
slowdown. Quantum circuits are generally more convenient for developing quantum algorithms.

Quantum circuits are rather generic quantum systems which can simulate other quantum 
systems. We have seen that such simulation may be problematic with a classical computer, so 
the answer to the second question is probably "yes". However, we do not know whether simulat- 
ing quantum mechanics on a classical computer is really hard. In fact, if no efficient algorithm 
is known for a problem, it doesn't mean that such an algorithm doesn't exist. Unfortunately, no 
reasonable computational problem has been proven to be hard yet. So it is interesting to find 
efficient quantum algorithms for problems which are considered as hard by computer science 
experts. The most remarkable result of this type has been obtained by Shor who invented 
polynomial quantum algorithms for the discrete logarithm and factoring of integers. However, 
it is not clear yet whether a polynomial quantum algorithm exists for an NP-complete problem. 

In order to obtain a correct result under perturbation, every step of the computation must
be done with precision $c \cdot (\text{number of steps})^{-1}$ (the constant c depends on the allowed error
probability, see Sec. 2.4). Thus the number of precision bits, needed to specify each elementary
quantum operator (gate), is logarithmic. This precision requirement is rather weak, which
gives hope that quantum computation can be done by a physical device. Note that exponential 
precision (i.e. polynomial number of precision bits) is almost certainly infeasible; fortunately, 
it is not needed for quantum computation. However, even polynomial precision may prove to 
be impractical. A fully satisfactory solution would be to do arbitrarily long computation with 
fixed gate precision, by use of some error correction procedure. Alternatively, one should ensure 
high precision by some physical mechanism beyond the formal computation model. Precision 
still remains the most important problem in the field of quantum computation. 

In this paper we suggest a polynomial quantum algorithm for a so-called Abelian Stabilizer 
Problem (ASP) which includes both factoring and the discrete logarithm. Thus we reproduce 
Shor's result by a different method. Another special case of the ASP was studied by Grigoriev 
in connection with the shift equivalence problem for polynomials. The ASP should have some
applications to computational problems in number theory and algebraic geometry, but this
topic needs a separate study.

The key point of our solution is a concept of quantum measurement. We also use a
generalization of Simon's procedure [10] for finding a certain group of characters. In Sec. ^ we
demonstrate a more subtle use of quantum measurements by describing a polynomial
algorithm for the Quantum Fourier Transform (QFT) on an arbitrary finite Abelian group. This
doesn't solve any classical computational problem because the QFT is defined in terms of
quantum mechanics. However, the construction itself may be interesting. Polynomial QFT
algorithms were known for groups $(\mathbb{Z}_2)^k$ and $\mathbb{Z}_q$, where $q = 2^n$ or $q$ is a smooth number,
i.e. contains no prime power factor larger than $(\log q)^c$.


1 The Abelian Stabilizer Problem 

Let G be a group acting on a finite set M. Suppose that this action and the group operations
in G can be computed easily. Compute the stabilizer of a given element $a \in M$. This problem
(still to be formulated in a more rigorous language) includes many interesting cases, e.g. graph
isomorphism. Unfortunately, we are not able now to treat the problem in its generality. Rather,
we will assume that the group G is Abelian. As far as any finitely generated Abelian group is
a homomorphic image of $\mathbb{Z}^k$, we may set w.l.o.g. $G = \mathbb{Z}^k$.^ We will also assume that the set
M can be identified, by some one-to-one coding, with a subset of a Boolean cube $\mathbb{B}^n = \{0, 1\}^n$.
(Our algorithm does not work if each element of M has many representations in $\mathbb{B}^n$, even if the
equivalence of these representations can be checked by an efficient procedure). This restricted
problem is called the Abelian Stabilizer Problem (ASP). We proceed with an exact definition.
An ASP (more exactly, an instance of the ASP) consists of the following items:

• Two positive integers k and n. The pair (k, n) is called the size of the problem.

• An element $a \in \mathbb{B}^n$.

• A function $F : \mathbb{Z}^k \times M \to M$ ($a \in M \subseteq \mathbb{B}^n$), such that

$F(0,x) = x$, $F(g+h,x) = F(g,F(h,x))$ for any $g,h \in \mathbb{Z}^k$, $x \in M$

The function F should be regarded as a blackbox subroutine which receives an input
$(g,x) \in \mathbb{Z}^k \times \mathbb{B}^n$ and produces an output $y \in \mathbb{B}^n$, so that $y = F(g,x)$ for every $g \in \mathbb{Z}^k$, $x \in M$.
(If $x \notin M$, the subroutine may fail or give an arbitrary result. We do not assume that the
condition $x \in M$ is checkable). This subroutine F can be invoked by a quantum computer in
the way precisely defined in Sec. 0.

Remark. In all reasonable applications (see examples below) the function F can be computed
in polynomial time. A quantum computer can do this job itself, so there is no need to use a
blackbox subroutine in this case. Let us describe this situation more exactly. Denote by size(g)
the number of bits needed to represent an element $g \in \mathbb{Z}^k$ (in a reasonable coding).^ Let poly
stand for any function that grows not faster than a polynomial, i.e. $\mathrm{poly}(x) = x^{O(1)}$. Suppose
that the subroutine F is a classical or even quantum machine (see Sec. |^ for explicit models)
which computes F(g,x) in time poly(size(g) + n) at most. With a fixed function poly, this
defines a restricted class of ASPs. In this case we will get a polynomial quantum algorithm
which uses a description of the machine F rather than invokes it as a subroutine.

^ For the group $G = (\mathbb{Z}_p)^k$, Grigoriev designed a quantum algorithm which was polynomial in k and p
(but not in log p).

^ In different reasonable codings size(g) may differ at most by a constant factor.

The stabilizer of a with respect to F is the set $St_F(a) = \{g \in \mathbb{Z}^k : F(g,a) = a\}$. This
is a subgroup in $\mathbb{Z}^k$ of index $\le |M| \le 2^n$. Hence $St_F(a)$ is isomorphic to $\mathbb{Z}^k$ and has a basis
$(g_1, \dots, g_k)$ of polynomial size, meaning that $\mathrm{size}(g_j) \le \mathrm{poly}(n + k)$. Any such basis
is acceptable as a solution of the ASP. There is an efficient procedure which checks whether
$(g_1, \dots, g_k)$ and $(g'_1, \dots, g'_k)$ represent the same subgroup in $\mathbb{Z}^k$. Given a subgroup $A \subseteq \mathbb{Z}^k$ of
rank k represented by a polynomial size basis, one can compute (by a very simple polynomial
algorithm) a unique canonical basis $(h_1, \dots, h_k)$. This basis is given by the columns of the
matrix $(m_{ij},\ i, j = 1, \dots, k)$ uniquely characterized by the conditions

$m_{ij} = 0$ if $i > j$
$m_{ii} > 0$                                   (1)
$0 \le m_{ij} < m_{ii}$ if $i < j$

Thus finding an arbitrary polynomial size basis for the stabilizer is equivalent to finding the
canonical one.

Factoring and the discrete logarithm can be reduced to the ASP. Let M be the ring of
integers modulo q, G the group of invertible elements of M. If $g_1, \dots, g_k \in G$ then
$F_{g_1,\dots,g_k} : (m_1, \dots, m_k, x) \mapsto g_1^{m_1} \cdots g_k^{m_k} x$ ($m_i \in \mathbb{Z}$, $x \in M$) is an action of $\mathbb{Z}^k$ on M.
Consider two cases.

Factoring. The stabilizer of 1 with respect to $F_g$ gives the order of an element g in the
group G. There is a randomized reduction from factoring to the order of an element [13].
(A sketch of this reduction can be found in Shor's paper).

Discrete logarithm. Let q be a prime, $\zeta \in G \cong \mathbb{Z}_{q-1}$ a primitive element, $g \in G$
an arbitrary element. The stabilizer of 1 with respect to $F_{\zeta,g}$ is
$P = \{(m,r) \in \mathbb{Z}^2 : \zeta^m g^r = 1\}$. Given a basis of the subgroup $P \subseteq \mathbb{Z}^2$, we can find an element of the form
$(m, -1) \in P$. Then $\zeta^m = g$.
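
The two reductions above can be checked classically on a toy modulus. The following Python sketch is an added example, not code from the paper: it replaces the quantum step by brute-force enumeration of the stabilizer (feasible only for tiny q), computes the canonical basis of conditions (1), and reads the discrete logarithm off the element (m, -1). The function names and the sample values (q = 23, ζ = 5, g = 7 and the order of 2 modulo 21) are assumptions chosen for illustration.

```python
from itertools import product


def make_action(gens, q):
    """F(m, x) = g_1^m_1 ... g_k^m_k x mod q, the action of Z^k on the integers mod q."""
    def F(m, x):
        for g, e in zip(gens, m):
            x = x * pow(g, e, q) % q
        return x
    return F


def stabilizer_generators(F, a, k, bound):
    """Classical stand-in for the quantum step: all nonzero m in [0, bound)^k with F(m, a) = a.

    With bound = q every g_i has order < q, so ord(g_i) * e_i lies in the box and every
    stabilizer element reduces into the box modulo those vectors. Hence the points
    returned generate the whole stabilizer.
    """
    return [m for m in product(range(bound), repeat=k) if any(m) and F(m, a) == a]


def canonical_basis(vectors, k):
    """Columns h_1..h_k (h_j[i] = m_ij) with m_ij = 0 for i > j, m_ii > 0, 0 <= m_ij < m_ii."""
    pool = [list(v) for v in vectors]
    basis = [None] * k
    for i in reversed(range(k)):              # clear coordinate i, last row first
        pivot, rest = None, []
        for v in pool:
            if v[i] == 0:
                rest.append(v)
            elif pivot is None:
                pivot = v
            else:
                while v[i] != 0:              # Euclid's algorithm on coordinate i
                    t = pivot[i] // v[i]
                    pivot, v = v, [p - t * x for p, x in zip(pivot, v)]
                rest.append(v)                # v[i] is now 0
        if pivot is None:
            raise ValueError("generators do not span a subgroup of rank k")
        basis[i] = pivot if pivot[i] > 0 else [-p for p in pivot]
        pool = rest
    for j in range(k):                        # reduce entries above the diagonal
        for i in reversed(range(j)):
            t = basis[j][i] // basis[i][i]
            basis[j] = [a - t * b for a, b in zip(basis[j], basis[i])]
    return basis


def element_order(g, q):
    """Factoring case: the stabilizer of 1 under F_g is ord(g) * Z."""
    gens = stabilizer_generators(make_action([g], q), 1, 1, q)
    return canonical_basis(gens, 1)[0][0]


def discrete_log(zeta, g, q):
    """Discrete logarithm case: find (m, -1) in P, so that zeta^m = g (mod q)."""
    gens = stabilizer_generators(make_action([zeta, g], q), 1, 2, q)
    h1, h2 = canonical_basis(gens, 2)
    if h2[1] != 1:
        raise ValueError("zeta is not a primitive element modulo q")
    # -h2 + t*h1 has the form (m, -1); take the representative 0 <= m < m_11.
    return (-h2[0]) % h1[0]


if __name__ == "__main__":
    print(element_order(2, 21), discrete_log(5, 7, 23))
```
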



2 Computation models 

This section is intended mostly for a reader not familiar with the subject. We define the models 
usually used in the field of quantum computation. A more experienced reader should just pay 
attention to a few non-common terms and notations. 

In Sec. 2.1 we define Boolean circuits and operation sequences. These two models are
trivially equivalent. The language of operation sequences is not quite common but we find
it convenient. It is closer to an intuitive model of computation and allows simpler notations.
(Circuits can be nicely represented by diagrams, but we do not use diagrams in this paper).
We also briefly discuss the concept of uniformity.

In Sec. 2.2 we overview the concept of reversible computation introduced by Lecerf and
Bennett [15]. This is an important link between the standard models (e.g. Boolean circuits)
and quantum computation. The results of this section have quantum analogues (see Sec. |^).

In Sec. 2.3 we summarize the basic concepts and notations of quantum mechanics.

In Sec. 2.4 we give a formal model of quantum computation and discuss its basic properties.



2.1 Boolean circuits and operation sequences 

From now on, we often use functions of type $f : \mathbb{B}^n \to \mathbb{B}^m$. We write $n = \delta(f)$, $m = \rho(f)$.

Let $\mathcal{B}$ be a set of such functions to be used as elementary blocks for building more
complicated functions. The set $\mathcal{B}$ is called a basis; its elements are called gates. Usually one uses the
standard basis $\mathcal{C} = \{\neg, \wedge\}$ (negation and the "and" function). This basis is complete, that is
any Boolean function can be represented as a composition of the basis elements.

Let $F : \mathbb{B}^n \to \mathbb{B}^m$ be an arbitrary function. A Boolean circuit for F is a procedure which
converts an input $x \in \mathbb{B}^n$ to the output $y = F(x) \in \mathbb{B}^m$ working with auxiliary Boolean
variables $z_1, \dots, z_k$ according to the following instructions:

1. Copy x to $(z_1, \dots, z_n)$.

2. Compute $z_{n+1}, \dots, z_k$ in sequel, using some gates $f_i \in \mathcal{B}$ ($i = 1, \dots, L$) and variables
already computed. More specifically,



where $k_1 = n$, $k_{i+1} = k_i + \rho(f_i)$.

3. Read y from $(z_{\beta(1)}, \dots, z_{\beta(m)})$.

Thus a Boolean circuit is defined by the sequence of functions $f_1, \dots, f_L \in \mathcal{B}$ and the numbers
$\alpha(i,j)$, $\beta(j)$. The number L is called the size of the circuit. For more generality, we may
assume F to be a partial function $\mathbb{B}^n \to \mathbb{B}^m$, that is a function $N \to \mathbb{B}^m$, where $N \subseteq \mathbb{B}^n$. In
this case the output y must coincide with F(x) for every $x \in N$.

Circuits and algorithms. A Boolean circuit can only work with inputs of fixed size.
However, computation problems are usually defined for inputs of variable size — consider, for
example, the number addition problem $(x, x') \mapsto x + x'$. Any reasonable computational
problem can be represented by a family of functions $F|_s : \mathbb{B}^s \to \mathbb{B}^{\mathrm{poly}(s)}$, each corresponding to a
particular input size s. One needs a separate Boolean circuit for each $F|_s$. If a polynomial
algorithm exists for F then each function $F|_s$ can be computed by a circuit $\mathcal{F}_s$ of size poly(s).
In fact, a computer (e.g. a Turing machine), working in space × time ≤ t × t, can be simulated
by a Boolean circuit of size O(t^).

However, the existence of a polynomial size circuit $\mathcal{F}_s$ for each $F|_s$ does not necessarily
imply that the total function F can be efficiently computed. For this, one must be able to
construct the circuits $\mathcal{F}_s$ efficiently. More exactly, the function $s \mapsto \mathcal{F}_s$ must be computable on
a Turing machine in polynomial time. A family of circuits $(\mathcal{F}_s)$, which satisfies this condition,
is called uniform. Thus the machine produces a circuit, and the circuit computes the function.

This two-level construction is especially good for defining non-standard computation models,
including quantum computation. In Sec. 2.4 we will define some theoretical quantum devices
which can compute Boolean functions. Although these devices operate in a quantum way, they
allow classical description, i.e. each particular device can be represented by a binary word. By
a quantum algorithm for a problem F we will mean a classical algorithm which constructs a
quantum device $\Phi_s$ for each function $F|_s$.

In a Boolean circuit the value of each variable $z_i$ is computed only once. However, in real
computers memory cells can be reused to operate with new information. At each step the
computer does some operation with a few memory cells. Let us give a simple model of such
computation.

Denote by $\Delta = \{1, \dots, K\}$ the memory to be used in computation. Each memory element
(bit) $i \in \Delta$ represents a Boolean variable $z_i$. Any ordered collection of bits is called a register.
Associated with a register $A = (A_1, \dots, A_n)$ is the variable $z_A = (z_{A_1}, \dots, z_{A_n})$ taking values
from $\mathbb{B}^n$. (Here $A_i \in \Delta$ and $A_i \ne A_j$ if $i \ne j$). Given a Boolean operator $g : \mathbb{B}^n \to \mathbb{B}^n$, we
can define its action $g[A] : z_A \mapsto g(z_A)$ on the set of states of the register A. (By a Boolean
operator we mean an arbitrary mapping of a Boolean cube into itself). We may regard g[A] as
an operator on the total set of memory states, $\Gamma = \mathbb{B}^\Delta$.

Now take some set (basis) $\mathcal{B}$ of Boolean operators. Operators of the form g[A] ($g \in \mathcal{B}$) will
be called operations. The new model is a procedure of the following type:

1. Place the input into some register X. Set all the other bits equal to 0.

2. Do some operations $g_1[A_1], \dots, g_L[A_L]$ ($g_i \in \mathcal{B}$) one by one.

3. Read the output from some register Y.

A Boolean circuit may be considered as the sequence of operators

$g_i : (u_1, \dots, u_{\delta(f_i)}, v_1, \dots, v_{\rho(f_i)}) \mapsto (u_1, \dots, u_{\delta(f_i)}, f_i(u_1, \dots, u_{\delta(f_i)}))$ (3)

applied to the registers $A_i = (\alpha(i,1), \dots, \alpha(i,\delta(f_i)),\ k_i + 1, \dots, k_i + \rho(f_i))$. On the other hand,
any sequence of L operations can be simulated by a Boolean circuit of size L — one should just
reserve a separate variable for each new Boolean value that appears during computation. So
these two models are equivalent.

2.2 Reversible computation 

The models defined above, as well as operation of a real computer, are not reversible. In fact, 
even erasing a bit (i.e. setting it equal to 0) is not reversible. However, the laws of quantum 
mechanics are reversible, since the inverse of a unitary matrix exists and is also a unitary matrix. 
So, before passing on to quantum computation, one must be able to do classical computation 
reversibly. 

Of course, reversible computation must use only bijective gates $g_i : \mathbb{B}^n \to \mathbb{B}^n$, i.e.
permutations on Boolean cubes. A simple but important example is the bijective operator
$\tau_n : (u, v) \mapsto (u, v \oplus u)$ on $\mathbb{B}^{2n}$, where "$\oplus$" stands for the bitwise addition modulo 2. (Obviously, applying
$\tau_n$ is the same as to apply the operator $\tau = \tau_1$ to each pair of bits). The operator $\tau_n$ allows
to copy the content of one register into another, provided the second register is empty. For a
more general example, consider an arbitrary function $F : N \to \mathbb{B}^m$ ($N \subseteq \mathbb{B}^n$), then

$F_\tau : N \times \mathbb{B}^m \to N \times \mathbb{B}^m : (u, v) \mapsto (u, v \oplus F(u))$ (4)

is a bijection. It is quite clear now how to simulate a Boolean circuit by a sequence of bijective
operations. Instead of the operators (3) one should take the operators $(f_i)_\tau$. The result will
be the same because $v = (v_1, \dots, v_{\rho(f_i)}) = (z_{k_i+1}, \dots, z_{k_i+\rho(f_i)})$ is zero before the operator $(f_i)_\tau$
is applied.

Formally, this observation is enough to proceed with quantum computation. However, the
above computation with bijective gates is not truly reversible. In fact, besides the output it
produces some "garbage", i.e. extra information which has to be forgotten after the computation
is finished. Without this garbage the computer cannot run back from the output to the input.
We will see that garbage does not allow to use the result of a computation in an essentially
quantum way. It is worth noting that a real computer also produces some sort of garbage,
namely heat. (Actually, the existing computers produce much more heat than necessary). It is
rather surprising that the garbage in our model can be avoided.

First of all, we are to give an exact definition of computation without garbage, usually
called reversible computation. In what follows we assume the memory $\Delta$ to be the union of two
disjoint registers, an input-output register X and an auxiliary register W. Thus a state of the
memory is denoted as (x, w), where $x \in \mathbb{B}^n$, $w \in \mathbb{B}^{K-n}$.

Definition 1 Let $G : N \to M$ ($N, M \subseteq \mathbb{B}^n$) be an arbitrary bijection. A sequence of bijective
operations $g_i[A_i]$ ($i = 1, \dots, L$) is said to represent G, or compute G reversibly, if their
composition $g_L[A_L] \circ \dots \circ g_1[A_1]$ maps (x, 0) to (G(x), 0) for every $x \in N$.

Lemma 1 Suppose that a function $F : N \to \mathbb{B}^m$ ($N \subseteq \mathbb{B}^n$) is computable in a basis $\mathcal{B}$ by a
Boolean circuit of size L. Then $F_\tau$ can be represented in the basis $\mathcal{B}_\tau = \{f_\tau : f \in \mathcal{B}\} \cup \{\tau\}$ by
an operation sequence of length 2L + m.

Proof. The Boolean circuit can be simulated by a sequence of L operations from the basis $\mathcal{B}_\tau$.
We may assume that this simulation uses registers U, W and Y for input, intermediate results
and output, respectively, where $U \cap W = \emptyset$ and $Y \subseteq U \cup W$. The total effect of the simulation
can be represented by an operator G = G[U, W]. Let V be a new register of size m. Then
$X = U \cup V$ can be used as an input-output register for reversible computation of the function
$F_\tau$. We can denote a memory state as (u, v, w), where u, v and w stand for the contents of U,
V, and W, respectively. The needed reversible computation is given by the operator

$(G[U, W])^{-1} \circ \tau_m[Y, V] \circ G[U, W] : (u, v, 0) \mapsto (u, v \oplus F(u), 0)$ ($u \in N$, $v \in \mathbb{B}^m$)

Indeed, the operator G[U, W] computes F(x), the operator $\tau_m[Y, V]$ adds it to v modulo 2,
and $(G[U, W])^{-1}$ removes the garbage, that is makes w equal to 0. □
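
The construction in the proof of Lemma 1, as an added Python example (not code from the paper): the half adder circuit, the bit layout U, W, V and the helper names are assumptions chosen for illustration. It builds the 2L + m operations over the basis $\{f_\tau\} \cup \{\tau\}$ and shows that the work register W returns to zero only when the inverse of G is applied.

```python
NOT = lambda a: a ^ 1
AND = lambda a, b: a & b

# Constructed sample circuit in the standard basis {NOT, AND}: a half adder
# F(x, y) = (x XOR y, x AND y). Gate i reads the listed bits and defines bit N_IN + i.
N_IN = 2
CIRCUIT = [
    (NOT, (0,)),    # z2  = not x
    (NOT, (1,)),    # z3  = not y
    (AND, (0, 3)),  # z4  = x and (not y)
    (AND, (2, 1)),  # z5  = (not x) and y
    (NOT, (4,)),    # z6  = not z4
    (NOT, (5,)),    # z7  = not z5
    (AND, (6, 7)),  # z8  = not (x xor y)
    (NOT, (8,)),    # z9  = x xor y
    (AND, (0, 1)),  # z10 = x and y
]
OUTPUTS = (9, 10)   # register Y: the bits that hold F(u)


def f_tau(f, ins, out):
    """Bijective operation f_tau[A]: (u, v) -> (u, v XOR f(u)) on the named bits."""
    def op(z):
        z[out] ^= f(*(z[i] for i in ins))
    return op


def reversible_sequence(n, circuit, outputs, uncompute=True):
    """G[U,W], then tau_m[Y,V], then G[U,W]^-1 (skipped if uncompute is False)."""
    L = len(circuit)
    G = [f_tau(f, ins, n + i) for i, (f, ins) in enumerate(circuit)]
    # tau[y, v]: v ^= y, copying each output bit into the register V.
    copy = [f_tau(lambda a: a, (y,), n + L + j) for j, y in enumerate(outputs)]
    # Every f_tau is its own inverse, so G^-1 is the same operations in reverse order.
    return G + copy + (G[::-1] if uncompute else [])


def run(u, v, uncompute=True):
    """Apply the sequence to the memory (u, w=0, v); return (u, v, w, sequence length)."""
    n, L = N_IN, len(CIRCUIT)
    z = list(u) + [0] * L + list(v)      # layout: U | W | V
    ops = reversible_sequence(n, CIRCUIT, OUTPUTS, uncompute)
    for op in ops:
        op(z)
    return tuple(z[:n]), tuple(z[n + L:]), tuple(z[n:n + L]), len(ops)


if __name__ == "__main__":
    print(run((1, 0), (0, 0)))
    print(run((1, 0), (0, 0), uncompute=False))
```
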

Lemma 2 Let $G : N \to M$ ($N, M \subseteq \mathbb{B}^n$) be a bijection. Suppose that G and $G^{-1}$ are
computable in a basis $\mathcal{B}$ by Boolean circuits of size L and L', respectively. Then G can be
represented in the basis $\mathcal{B}_\tau$ by an operation sequence of length 2L + 2L' + 4n.

Proof. Let X be the input-output register, Y an auxiliary register of the same size n. We
should add also another auxiliary register W to be used implicitly in the reversible subroutines
$G_\tau$ and $(G^{-1})_\tau$. By the previous lemma, these subroutines need 2L + n and 2L' + n operations,
respectively. The required computation is given by the operator

$\tau_n[X,Y] \circ \tau_n[Y,X] \circ (G^{-1})_\tau[Y,X] \circ G_\tau[X,Y]$

Indeed, $(x, 0) \mapsto (x, G(x)) \mapsto (0, G(x)) \mapsto (G(x), G(x)) \mapsto (G(x), 0)$. □

Corollaries.

1. Any permutation of n bits can be done by 4n operations $\tau$.

2. The basis $\mathcal{C}_\tau$ is complete for reversible computation.

The gate $\neg_\tau \in \mathcal{C}_\tau$ may be replaced with $\neg$. Thus we get another complete basis
$\mathcal{R} = \{\neg, \tau, \wedge_\tau\}$. We will always use this basis unless we speak about so-called relative computation,
that is computation with a blackbox subroutine.

Definition 2 Let $F : \mathbb{B}^n \to \mathbb{B}^m$ be an arbitrary function, possibly partial. Reversible
computation in the basis $\mathcal{R} \cup \{F_\tau\}$ is called reversible computation with subroutine F.

This definition is natural due to Lemma 1. Actually, we will need only one particular case of a
blackbox subroutine.

Let $F : \mathbb{Z}^k \times M \to \mathbb{B}^n$ be the function from the definition of an ASP. It is not a Boolean
function, so the above definition should be modified. Let

$\mathbb{Z}^k_s = \{g \in \mathbb{Z}^k : \mathrm{size}(g), \mathrm{size}(-g) \le s\}$ (5)

We can identify $\mathbb{Z}^k_s$ with a certain subset of $\mathbb{B}^s$. Denote by $F|_{s+n}$ the restriction of F to
$\mathbb{Z}^k_s \times M$. By computation with the subroutine F we will mean computation with $F|_{s+n}$, where
s = poly(k + n). Our quantum algorithm will use the following bijection

$G : \mathbb{Z}^k \times M \to \mathbb{Z}^k \times M : (g,x) \mapsto (g, F(g,x))$ (6)

Note that $G^{-1} : (g,x) \mapsto (g, F(-g,x))$. The function $G|_{s+n}$, the restriction of G, may be
considered as a partial bijective operator on $\mathbb{B}^s \times \mathbb{B}^n$. By Lemma 2, this function can be easily
computed with the subroutine $F|_{s+n}$.

2.3 The quantum formalism 

In this subsection we remind the reader the quantum formalism for a system with a finite set
of states $\Gamma$. In the computation-theoretic context, $\Gamma = \mathbb{B}^\Delta$ is the set of states of a computer
memory $\Delta$.

A quantum state is characterized by a unit vector $|\psi\rangle$ in the complex space $\mathbb{C}(\Gamma) = \mathbb{C}^\Gamma$
equipped with a Hermitian scalar product $\langle\cdot|\cdot\rangle$. To be exact, the term "quantum state" is
usually used to denote a one-dimensional subspace of $\mathbb{C}(\Gamma)$, i.e. a unit vector up to a phase
factor $e^{i\phi}$.^ Corresponding to the classical states $a \in \Gamma$ are the standard vectors $|a\rangle \in \mathbb{C}(\Gamma)$
which form an orthonormal basis of $\mathbb{C}(\Gamma)$. Time evolution of a quantum system is given by
a transformation of the form $|\psi\rangle \mapsto U|\psi\rangle$, where U is a unitary operator. Any bijection
$G : \Gamma \to \Gamma$ may be regarded as a unitary operator acting by the rule $G|a\rangle = |G(a)\rangle$. Such
operators are called classical.

^ The gate $\tau$ can be represented in terms of $\wedge_\tau$ and $\neg$, so it is not necessary.

^ This definition is motivated by the fact that the probability (7) is invariant under the transformation
$|\psi\rangle \mapsto e^{i\phi}|\psi\rangle$, so the phase factor may be neglected in many cases.

Elements of $\mathbb{C}(\Gamma)$ are usually denoted like $|\xi\rangle$, even if the symbol in the brackets is never
used alone. The scalar product of two vectors $|\xi\rangle, |\eta\rangle \in \mathbb{C}(\Gamma)$ is denoted by $\langle\xi|\eta\rangle$. Thus $\langle\xi|$
stands for the linear functional $|\eta\rangle \mapsto \langle\xi|\eta\rangle$ on $\mathbb{C}(\Gamma)$. The space of such functionals is denoted
by $\mathbb{C}(\Gamma)^*$. If $|\xi\rangle = \sum_{j\in\Gamma} c_j |j\rangle$ then $\langle\xi| = \sum_{j\in\Gamma} c_j^* \langle j|$. In the coordinate representation

( c, \ 

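If $|\xi\rangle, |\eta\rangle \in \mathbb{C}(\Gamma)$ then $|\xi\rangle\langle\eta|$ is an element of $\mathbb{C}(\Gamma) \otimes \mathbb{C}(\Gamma)^*$ and thus may be considered as a
linear operator on $\mathbb{C}(\Gamma)$. The result of the application of a linear operator $A : \mathbb{C}(\Gamma) \to \mathbb{C}(\Gamma)$
to a vector $|\xi\rangle$ is denoted by $A|\xi\rangle = |A\xi\rangle$. Thus

where $A^\dagger$ is the operator adjoint to A.

The algebra of linear operators $\mathbb{C}(\Gamma) \to \mathbb{C}(\Gamma)$ is denoted by $L(\Gamma)$, while $U(\Gamma)$ denotes the
group of unitary operators.

Let $\Pi_{\mathcal{M}}|\xi\rangle$ denote the orthogonal projection of a vector $|\xi\rangle$ onto a linear subspace
$\mathcal{M} \subseteq \mathbb{C}(\Gamma)$. The projection operator can be represented as $\Pi_{\mathcal{M}} = \sum_{j=1}^{k} |e_j\rangle\langle e_j|$, where
$(|e_j\rangle,\ j = 1, \dots, k)$ is an arbitrary orthonormal basis of $\mathcal{M}$.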

Two things are most important in the quantum formalism: the probabilistic interpretation 
of quantum mechanics and the relation between a system and its subsystems. From the mathe- 
matical point of view, the probabilistic interpretation is just a definition of some function called 
"probability". After the definition is given, one can check that this function does have some 
basic properties of classical probability. Here we just give the definition. The analogy with the 
classical case will be fully developed in the Sec. ^ where we introduce conditional probabilities. 

The classical probability $P(\mu, M) = \mu(M) = \sum_{j\in M} \mu(j)$ is a function of two arguments: a
probability measure $\mu$ on $\Gamma$ and a subset $M \subseteq \Gamma$. (As far as the set $\Gamma$ is finite, a probability
measure is simply a positive function $\mu : \Gamma \to \mathbb{R}$, such that $\sum_{j\in\Gamma} \mu(j) = 1$). Correspondingly,
the quantum probability depends on a quantum state $|\xi\rangle$ and a linear subspace $\mathcal{M} \subseteq \mathbb{C}(\Gamma)$

$P(\xi, \mathcal{M}) = \langle\xi|\Pi_{\mathcal{M}}|\xi\rangle$ (7)

This quantity can be also represented as $\mathrm{Tr}(\rho\,\Pi_{\mathcal{M}})$, where $\rho = |\xi\rangle\langle\xi|$ is the density operator
associated with the state $|\xi\rangle$. In a more general setting, a density operator on $\Gamma$ is an arbitrary
positive Hermitian operator $\rho \in L(\Gamma)$ with trace 1; the set of such operators is denoted by
$D(\Gamma)$. In this case we write

$P(\rho, \mathcal{M}) = \mathrm{Tr}(\rho\,\Pi_{\mathcal{M}})$ (8)

This definition includes the classical probability. Indeed, let $\mathcal{M}$ be the subspace generated by
the standard vectors $|a\rangle : a \in M$. Let also $\rho = \sum_{a\in\Gamma} \mu(a)\,|a\rangle\langle a|$, where $\mu$ is a probability
measure on $\Gamma$. Then $P(\rho, \mathcal{M}) = P(\mu, M)$. Like the classical probability, the quantum
probability is additive. Specifically, if $\mathcal{M}$ and $\mathcal{N}$ are orthogonal subspaces then
$P(\rho, \mathcal{M} \oplus \mathcal{N}) = P(\rho, \mathcal{M}) + P(\rho, \mathcal{N})$. A generic density operator is said to represent a mixed state of the system,
while quantum states defined above are called pure. Time evolution of a density operator is
given by the formula $\rho \mapsto U \rho\, U^\dagger$.

Let our system consist of two subsystems, A and B, that is $\Gamma = \Gamma_A \times \Gamma_B$, where $\Gamma_A$ and
$\Gamma_B$ are the classical state sets of the subsystems. Two vectors $|\xi_A\rangle \in \mathbb{C}(\Gamma_A)$, $|\xi_B\rangle \in \mathbb{C}(\Gamma_B)$
can be combined to give the vector

$|\xi_A, \xi_B\rangle = |\xi_A\rangle \otimes |\xi_B\rangle \in \mathbb{C}(\Gamma_A) \otimes \mathbb{C}(\Gamma_B) = \mathbb{C}(\Gamma)$

One can also define tensor product of linear subspaces, linear operators, unitary operators and
density operators. It is clear that

$P(\rho_A \otimes \rho_B,\ \mathcal{M}_A \otimes \mathcal{M}_B) = P(\rho_A, \mathcal{M}_A)\, P(\rho_B, \mathcal{M}_B)$ (9)

The most striking difference between quantum mechanics and classical mechanics is that a
quantum state of a whole system cannot be generally decomposed into states of subsystems.
In fact, one cannot even define any natural linear mapping $\mathbb{C}(\Gamma) \to \mathbb{C}(\Gamma_A)$. (That is the reason
why we have to avoid garbage in computation, see an explanation below). However, a density
operator $\rho$ on $\Gamma$ can be "projected" onto $\Gamma_A$ to give the density operator

$\rho_A = \mathrm{Tr}_B\,\rho = \sum_{a,b\in\Gamma_A} |a\rangle \Big( \sum_{c\in\Gamma_B} \langle a,c|\rho|b,c\rangle \Big) \langle b|$ (10)

One may pass on to the projection and consider its evolution separately if the subsystem A
does not interact with B in future. Indeed,

$\mathrm{Tr}_B\big( (U_A \otimes U_B)\, \rho\, (U_A \otimes U_B)^\dagger \big) = U_A (\mathrm{Tr}_B\,\rho)\, U_A^\dagger$, $P(\rho,\ \mathcal{M}_A \otimes \mathbb{C}(\Gamma_B)) = P(\mathrm{Tr}_B\,\rho,\ \mathcal{M}_A)$

Note that the projection of a pure state is generally a mixed state.

Finally, let us introduce a concept of a quantum variable, or observable.^ Let $\Omega$ be a family
of mutually orthogonal linear subspaces of $\mathbb{C}(\Gamma)$. Denote by $\mathcal{V}_?$ the orthogonal complement
to $\bigoplus_{\mathcal{V}\in\Omega} \mathcal{V}$. In this setting, we say that an observable $z_\Omega$ is defined. Let $\rho \in D(\Gamma)$, $\mathcal{V} \in \Omega$.
Then the quantity $P(\rho, \mathcal{V})$ is called the probability of $z_\Omega$ to have the value $\mathcal{V}$. Obviously,
$\sum_{\mathcal{V}\in\Omega} P(\rho, \mathcal{V}) + P(\rho, \mathcal{V}_?) = 1$. Thus $P(\rho, \mathcal{V}_?)$ is the probability that $z_\Omega$ has no value. If A is a
predicate on $\Omega$ (i.e. a function $\Omega \to \{\text{true}, \text{false}\}$) then $\mathrm{Prob}_\rho[A(z_\Omega)]$ denotes the probability
of $A(z_\Omega)$ being true

$\mathrm{Prob}_\rho[A(z_\Omega)] = \sum_{\mathcal{V}\in\Omega:\ A(\mathcal{V})} P(\rho, \mathcal{V})$

For example, $\mathrm{Prob}_\rho[z_\Omega = \mathcal{V}] = P(\rho, \mathcal{V})$. The notation $\mathrm{Prob}_\rho[\dots]$ is convenient because it
expresses the intuitive meaning of probability.

2.4 Quantum computation 
2.4.1 The basic model 

Before giving a formal model of quantum computation, we will describe elementary operations 
with a quantum system which seem feasible from the physical point of view. From now on, we 
assume that $\Gamma = \mathbb{B}^\Delta$, where $\Delta = \{1, \dots, K\}$ is a memory used in computation.

Let $\Delta = A \cup B$, where A and B are two disjoint registers. Thus $\Gamma = \Gamma_A \times \Gamma_B$, where $\Gamma_A$
and $\Gamma_B$ are the sets of states of the registers A and B. Let $U \in U(\mathbb{B}^n)$, where n = |A|. As
far as the Boolean cube $\mathbb{B}^n$ can be identified with $\Gamma_A$, we can define the action U[A] of the
operator U on the space $\mathbb{C}(\Gamma_A)$. By tensoring with the unit operator $1[B] \in U(\Gamma_B)$, we can
make U[A] to be an operator on the space $\mathbb{C}(\Gamma)$ corresponding to the whole system. Physical
implementation of such an operator seems feasible provided the number n is small.

^ Our definition of an observable slightly differs from the conventional one.

For each $a \in \Gamma_A$ denote by $\mathcal{W}_a$ the subspace $|a\rangle \otimes \mathbb{C}(\Gamma_B) \subseteq \mathbb{C}(\Gamma)$. These subspaces are
mutually orthogonal. Thus the standard observable $z_A$ associated with the register A is defined.
It always has some value $a \in \mathbb{B}^n$, meaning that $\bigoplus_{a\in\mathbb{B}^n} \mathcal{W}_a = \mathbb{C}(\Gamma)$. Given a quantum state
$|\xi\rangle$, it is possible to measure the value of the observable $z_A$, that is to organize some physical
procedure which gives a result a with probability $P(\xi, \mathcal{W}_a)$. For this, it is enough to measure the
state of the whole memory (the result $c \in \Gamma$ is obtained with probability $P(\xi, c) = |\langle c|\xi\rangle|^2$)
and then ignore information contained in the register B. (Certainly, this works for mixed
states as well). The measurement destroys the quantum state, so it must be done in the end
of computation.

We are going to define a quantum model which is similar to general (i.e. garbage-producing)
sequences of bijective operations. (Reversible quantum computation will be considered later
on). We assume that computer memory $\Delta$ is a disjoint union of the input register X and an
auxiliary register W, the output register $Y \subseteq \Delta$ being arbitrary (|X| = n, |Y| = m). Thus a
classical state of the memory can be denoted as (x, w), where $x \in \Gamma_X = \mathbb{B}^n$, $w \in \mathbb{B}^{K-n}$.

Definition 3 Let $\mathcal{B}$ be a basis of unitary operators, $0 < \epsilon < \frac{1}{2}$ an arbitrary constant. A
sequence of operations $U_1[A_1], \dots, U_L[A_L]$ ($U_i \in \mathcal{B}$) is said to compute a function
$F : N \to \mathbb{B}^m$ ($N \subseteq \mathbb{B}^n$) with error probability $\le \epsilon$ if

$\forall x \in N$: $\mathrm{Prob}_{U|x,0\rangle}[z_Y = F(x)] \ge 1 - \epsilon$, where $U = U_L[A_L] \cdots U_1[A_1]$

The error probability can be made arbitrarily small by repeating the computation several
times. Indeed, let us take k different copies of the memory and do the same computation in
each of them independently, with the same input $x \in N$. Due to (9), the corresponding outputs
$y_1, \dots, y_k$ may be considered as independent random variables. By definition, the eventual result
is y if more than a half of all $y_i$ are equal to y. The total probability of an error or failure does
not exceed $\sum_{j \ge k/2} \binom{k}{j} \epsilon^j (1-\epsilon)^{k-j} \le \lambda^k$ where $\lambda = 2\,(\epsilon(1-\epsilon))^{1/2} < 1$. Within the scope of
polynomial computation, the error probability can be made as small as exp(−poly(n)), where
poly is an arbitrary function of polynomial growth. Note that the original choice of the constant 
e is not important; one usually sets e = |- 

Remark. The above procedure can be represented by the formula $y = \mathrm{MAJ}(y_1, \ldots, y_k)$,
where MAJ is a partial function called the majority function. To make it work, one must be
able to compute this function in the basis $\mathcal{B}$. This is possible, for example, in the classical basis
$\mathcal{R}$.

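The choice of the basis. In this paper we use the basis $\mathcal{Q} = \mathbf{U}(\mathbb{B}^1) \cup \{\tau, \wedge_\oplus\}$. Note that
$\neg \in \mathbf{U}(\mathbb{B}^1)$, so $\mathcal{R} \subseteq \mathcal{Q}$. Hence any classical reversible computation can be done in the basis $\mathcal{Q}$.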
Actually, this basis is complete for quantum computation; even its proper subset U(B^) U{r} is 
a complete basis [|I^ . If a blackbox subroutine F is given, we add the operator F^- to the basis.[] 
There is still one problem with our choice: the basis Q is infinite so infinite information is 
needed to specify its element. Fortunately, quantum computation can be done with polynomial 
gate precision (see below). Hence logarithmic number of precision bits is sufficient. 

^ If $F$ is a partial function, the operator $F_\tau$ is partial. In general, a partial unitary operator is a bijective
norm-preserving linear operator between two subspaces.

2.4.2 Precision



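Precision of a vector $|\xi\rangle \in \mathbb{C}(\Gamma)$ can be characterized by means of the usual (Hermitian) norm
$\||\xi\rangle\| = \sqrt{\langle\xi|\xi\rangle}$. There are two natural norms on the space of linear operators $\mathbf{L}(\Gamma)$, the usual
operator norm

$$\|A\| = \sup_{|\xi\rangle \neq 0} \frac{\|A|\xi\rangle\|}{\||\xi\rangle\|}$$

and the trace norm

$$\|A\|_{\mathrm{tr}} = \mathrm{Tr}\sqrt{A^\dagger A} = \inf\Bigl\{ \sum_j \||\xi_j\rangle\|\,\|\langle\eta_j|\| \ :\ \sum_j |\xi_j\rangle\langle\eta_j| = A \Bigr\} = \sup_{B \neq 0} \frac{|\mathrm{Tr}\,AB|}{\|B\|}$$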
The most important properties of these norms are as follows 

$$\|AB\| \le \|A\|\,\|B\| \qquad \|AB\|_{\mathrm{tr}},\ \|BA\|_{\mathrm{tr}} \le \|B\|\,\|A\|_{\mathrm{tr}} \qquad |\mathrm{Tr}\,A| \le \|A\|_{\mathrm{tr}} \qquad (11)$$

We say that a unitary operator $\tilde{U}$ represents a unitary operator $U$ with precision $\delta$ if $\|\tilde{U} - U\| \le \delta$.
The following lemma shows that errors are simply added through computation but are not
amplified.

Lemma 3 Let $U_1, \ldots, U_L$, $\tilde{U}_1, \ldots, \tilde{U}_L$ be unitary operators. If $\tilde{U}_j$ represents $U_j$ with precision
$\delta_j$ for $j = 1, \ldots, L$ then $\tilde{U}_L \cdots \tilde{U}_1$ represents $U_L \cdots U_1$ with precision $\delta_1 + \ldots + \delta_L$.

Proof. If $L = 2$ then $\|\tilde{U}_2\tilde{U}_1 - U_2U_1\| \le \|(\tilde{U}_2 - U_2)\tilde{U}_1\| + \|U_2(\tilde{U}_1 - U_1)\| \le \|\tilde{U}_2 - U_2\| +
\|\tilde{U}_1 - U_1\|$, since a unitary operator has the norm 1. The general case follows by induction. □

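The trace norm $\|\cdot\|_{\mathrm{tr}}$ is suitable to characterize precision of density operators. Note that if
$|\xi\rangle$, $|\eta\rangle$ are unit vectors then

$$\bigl\| |\xi\rangle\langle\xi| - |\eta\rangle\langle\eta| \bigr\|_{\mathrm{tr}} = 2\sqrt{1 - |\langle\xi|\eta\rangle|^2} \le 2\,\bigl\| |\xi\rangle - |\eta\rangle \bigr\|$$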
Lemma 4 Let $\Omega$ be a family of mutually orthogonal linear subspaces of $\mathbb{C}(\Gamma)$. Then for any
pair of density operators $\rho$, $\gamma$

$$\sum_{V \in \Omega} |P(\rho, V) - P(\gamma, V)| \le \|\rho - \gamma\|_{\mathrm{tr}}$$

Proof. The left hand side of this inequality can be represented as $\mathrm{Tr}((\rho - \gamma)B)$, where $B =
\sum_{V \in \Omega} (\pm\Pi_V)$. It is clear that $\|B\| \le 1$. Then use the norm properties (11). □

Combining Lemma |^ with the inequality (0) and Lemma ^, we obtain the following 

Lemma 5 Let an operation sequence of length $L$ compute a function with error probability
$< \epsilon$. If each operation is represented with precision $\delta$ then the resulting error probability does
not exceed $\epsilon + 2L\delta$.

Thus the necessary gate precision is $\mathrm{const} \cdot L^{-1}$. Note that classical (non-reversible) computation
can be simulated without error accumulation, by use of error correcting codes.

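The notion of precision is also applicable to partial operators. Let $U$ and $\tilde{U}$ be partial
unitary operators on $\mathbb{C}(\Gamma)$. In other words, $U : \mathcal{N} \to \mathcal{M}$ and $\tilde{U} : \tilde{\mathcal{N}} \to \tilde{\mathcal{M}}$ are bijective
linear operators preserving the scalar product, where $\mathcal{N}, \mathcal{M}, \tilde{\mathcal{N}}, \tilde{\mathcal{M}} \subseteq \mathbb{C}(\Gamma)$. We say that the
operator $\tilde{U}$ represents $U$ with precision $\delta$ if $\mathcal{M} \subseteq \tilde{\mathcal{M}}$, $\mathcal{N} \subseteq \tilde{\mathcal{N}}$ and $\|(\tilde{U} - U)|\xi\rangle\| \le \delta\||\xi\rangle\|$ for
any $|\xi\rangle \in \mathcal{N}$. Note that $\tilde{U}^{-1}$ represents $U^{-1}$ with the same precision. Lemma 3 remains valid
for partial unitary operators.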
2.4.3 Reversible quantum computation

Definition [1| can be extended to the quantum case in a straightforward way. One can also define
approximate reversible computation. In view of the above consideration, it is convenient to use 
the language of partial operators. The set of partial unitary operators on C(r) will be denoted 
by U(r). Denote by uo the partial operator |0) ^ |0) on C(B'^) (for any k). Let the memory 
A be the union of two disjoint registers, an input-output register X and an auxiliary register 
W. A state of the memory is denoted as (x, w), where x G B"^, w G B^. 

Definition 4 Let U G U(B"). A sequence of operations Ui[Ai], . . . ,Ul[Al\ is said to rep- 
resent U (with precision 6) if the operator Ul[Al] . . .Ul[Al\ represents the partial operator 
U[X] ® u[W] (with precision S ). 

As in the classical case, a non-reversible quantum computation procedure can be converted 
into a reversible one (see Sec. ^ for more detail). 

2.4.4 Quantum gates with control parameters 

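Let $U : \mathcal{N} \to \mathcal{M}$ ($\mathcal{N}, \mathcal{M} \subseteq \mathbb{C}(\mathbb{B}^n)$) be a linear operator. Define a new operator $\Lambda(U) :
\mathbb{C}(\mathbb{B}^1) \otimes \mathcal{N} \to \mathbb{C}(\mathbb{B}^1) \otimes \mathcal{M}$ by the formula

Thus the operator $U$ is applied or not depending on whether an additional control bit^ is equal
to 1 or 0. For example, $\Lambda(\neg) = \tau$, $\Lambda(\tau) = \wedge_\oplus$. Another example:

$$\Lambda(e^{i\varphi}) = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\varphi} \end{pmatrix}$$

(The number $e^{i\varphi}$ can be considered as a unitary operator on $\mathbb{C}(\mathbb{B}^0)$). It is obvious that

$$\Lambda(UV) = \Lambda(U)\,\Lambda(V) \qquad \Lambda(V^{-1}UV)[1,A] = V^{-1}[A]\ \Lambda(U)[1,A]\ V[A] \qquad (14)$$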

For a classical operator U, the operator A{U) can be computed by a Boolean circuit in the 
basisCUjf/}. Hence it can be represented in the basis 7?. U {f/, t/^^} (byLemmaH). This does 
not work in the general case. However, the following statement holds. 

Lemma 6 Let $U$ be a (partial) unitary operator on $\mathbb{C}(\mathbb{B}^n)$, such that $U|0\rangle = |0\rangle$. Then the
operator $\Lambda(U)$ can be represented in the basis $\mathcal{Q} \cup \{U\}$ by an operation sequence of length $4n + 1$,
the gate $U$ being used only once.

Proof. Let the input-output register be $X = \{1\} \cup A$, where 1 denotes the control bit. Let
$B$ be an auxiliary register of size $n$. The required computation is given by the composition of
operators

$$\Lambda(\tau_n)[1,A,B]\ \ \Lambda(\tau_n)[1,B,A]\ \ U[B]\ \ \Lambda(\tau_n)[1,B,A]\ \ \Lambda(\tau_n)[1,A,B]$$

□ 

^ Note that in our model the control bit is quantum, as all the other bits. 
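Corollary. For any $U \in \mathbf{U}(\mathbb{B}^1)$ the operator $\Lambda(U)$ can be represented in the basis $\mathcal{Q}$.
Indeed, $U$ can be represented as $V^{-1}WVe^{i\varphi}$, where $W|0\rangle = |0\rangle$.

Let us also consider a more general type of control. For any function $\mathcal{U} : \mathbb{B}^l \to \mathbf{U}(\mathbb{B}^n)$ we
define the operator

$$\Lambda(\mathcal{U}) \in \mathbf{U}(\mathbb{B}^l \times \mathbb{B}^n) \qquad \Lambda(\mathcal{U})|a,\xi\rangle = |a\rangle \otimes \mathcal{U}(a)|\xi\rangle \qquad (15)$$

Lemma 7 Let $F : \mathbb{B}^k \to \mathbb{B}^l$ be a partial function; $\mathcal{U} : \mathbb{B}^l \to \mathbf{U}(\mathbb{B}^n)$. Consider two operators,
$T = \Lambda(\mathcal{U}) \in \mathbf{U}(\mathbb{B}^l \times \mathbb{B}^n)$ and $F_T = \Lambda(\mathcal{U} \circ F) \in \mathbf{U}(\mathbb{B}^k \times \mathbb{B}^n)$. If the function $F$ can be
computed by a Boolean circuit of size $L$ in a basis $\mathcal{B}$ then the operator $F_T$ can be represented by
an operation sequence of length $2L + 1$ in the basis $\mathcal{B}_\tau \cup \{T\}$, the gate $T$ being used only once.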

(Proof is quite similar to the proof of Lemma |T]). 

As an application of this lemma, we will show how to create an arbitrary unit vector
$|\eta\rangle = u|0\rangle + v|1\rangle \in \mathbb{C}(\mathbb{B}^1)$ if $u$ and $v$ are given as control parameters. For simplicity, assume
that $u, v \in \mathbb{R}$, that is $u = \cos\theta$, $v = \sin\theta$. Then the vector $|\theta, \eta\rangle$ can be obtained from $|\theta, 0\rangle$
by applying the operator $R : |\theta, \zeta\rangle \mapsto |\theta\rangle \otimes R_\theta|\zeta\rangle$. Here $\theta$ is a real number represented, with
some precision, in a binary form;

$$R_\theta = \begin{pmatrix} \cos\theta & -\sin\theta \\ \sin\theta & \cos\theta \end{pmatrix}$$

Lemma 7 allows to construct the operator $R$ from $\Lambda(R_\theta)$ with $\theta = 2\pi\, 2^{-s}$ ($s = 1, 2, \ldots$).

2.4.5 Some other properties of quantum computation

Simulating classical probability. To simulate classical probabilistic computation, one needs
to create random bits. Let us take a quantum bit in the state $2^{-1/2}(|0\rangle + |1\rangle)$ and copy it to
another bit by the operator $\tau$. (Beware that the operator $\tau$ copies each classical state entering
a quantum superposition, not the whole superposition!) Thus we get the two-bit quantum state
$|\psi\rangle = 2^{-1/2}(|0,0\rangle + |1,1\rangle)$. Then discard the copy (or just not use it in computation). This
situation can be described by transition to a density operator corresponding to the first bit
only

$$\rho_1 = \mathrm{Tr}_2(|\psi\rangle\langle\psi|) = \begin{pmatrix} 1/2 & 0 \\ 0 & 1/2 \end{pmatrix}$$

This density operator corresponds to the classical probability measure $\mu(0) = \mu(1) = 1/2$.

The effect of garbage. Let $G : \mathbb{B}^n \to \mathbb{B}^n$ be a classical operator to be used in quantum
computation. Assume that the operator $G$ is computed by a sequence of bijective operations.
We are to show that the operator $G$ must be computed without garbage, otherwise quantum
coherence will be destroyed. Suppose that garbage is produced. Then $G$ is actually represented
by an operator $U : (x, 0) \mapsto (G(x), g(x))$ on the total set of memory states. The operator $U$
transforms a quantum state $|\xi\rangle = \sum_x c_x|x\rangle$ into the state $|\psi\rangle = \sum_x c_x|G(x), g(x)\rangle$. As far as
the garbage is ignored, we should take the trace with respect to the second variable. Thus we
get the density operator

$$\rho = \sum_{x,y:\ g(x)=g(y)} c_x c_y^*\, |G(x)\rangle\langle G(y)|$$

If the garbage $g(x)$ is the same for all $x$ then $\rho = G|\xi\rangle\langle\xi|G^\dagger$, so the operator $U$ does what it is
supposed to do. Now consider the worst case: different inputs produce different garbage. Then
the density operator $\rho = \sum_x |c_x|^2\, |G(x)\rangle\langle G(x)|$ is classical; it could be obtained if we first
measured the value of $x$ and then applied $G$ in a classical way. We conclude that a classical
operator can not be used in an essentially quantum way unless it is computed reversibly.

3 Quantum measurements 

One of the physical assumptions, underlying the formal model of quantum computation, is the 
possibility to measure the classical state of the memory. Such measurement is a specific type of 
interaction between the quantum computer and an external physical device. Description of the 
measurement procedure is beyond the scope of our formal analysis. However, we can formally 
define and study another type of measurement in which one part of the computer works as a 
device measuring the state of another part. We will see that such measurement obeys the usual 
laws of conditional probability. So, if subsystems Ai,A2,... measure each other in sequence, 
this process can be simulated by a Markov chain. This fact is very important for understanding 
the probabilistic interpretation of quantum mechanics in physical context. We may believe that 
the chain of measurements extends beyond the system in study, and the last measurement done 
by an external device is of the same type. Except for this philosophical remark, we will use 
quantum measurements as a concrete tool for developing quantum algorithms. 

Definition 5 Let $A$ and $D$ be two disjoint registers, $\Omega$ a family of mutually orthogonal
subspaces of $\mathbb{C}(\mathbb{B}^A)$. Set $\mathcal{N} = \bigoplus_{V \in \Omega} V$.

1. A measurement operator for the observable $z_\Omega$ is a linear operator of the form

$$U = \sum_{V \in \Omega} \Pi_V \otimes U_V \ :\ \mathcal{N} \otimes \mathbb{C}(\mathbb{B}^D) \to \mathcal{N} \otimes \mathbb{C}(\mathbb{B}^D)$$

where $U_V$ are arbitrary unitary operators on $\mathbb{C}(\mathbb{B}^D)$.

2. A measurement operator $U$ together with a register $C \subseteq D$ is called a measurement with
result $z_C$. Let $|C| = m$. Denote by $\mathcal{W}_y$ the subspace of $\mathbb{C}(\mathbb{B}^D)$ corresponding to the
situation $z_C = y$, i.e. $\mathcal{W}_y = (|y\rangle) \otimes \mathbb{C}(\mathbb{B}^{D \setminus C})$. The numbers

$$P_{U,C}(V, y) = P(U_V|0\rangle, \mathcal{W}_y) \qquad (V \in \Omega,\ y \in \mathbb{B}^m)$$

are called the conditional probabilities for the measurement $(U, C)$.

3. A measurement $(U, C)$ is said to measure the value of a function $F : \Omega \to \mathbb{B}^m$ with error
probability $< \epsilon$ if $P_{U,C}(V, F(V)) > 1 - \epsilon$ for every $V \in \Omega$.

For example, the operator $\tau_n[A, D]$ is a measurement for the observable $z_A$. Any quantum
computation (see Definition 3) can be organized as a measurement with respect to its input.
For this, it suffices to copy the input by the operator $\tau_n$ and use the copy instead of the original.
Alternatively, one can use the bits of the input as control parameters, e.g. in operators $\Lambda(U)$.

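Important example. Let $U$ be a unitary operator on a subspace $\mathcal{N} \subseteq \mathbb{C}(\mathbb{B}^n)$. The eigenvalues
of this operator have the form $\lambda(\phi) = \exp(2\pi i\phi)$, where $\phi$ is a real number (mod 1).
Denote by $\mathcal{E}(U, \phi)$ the corresponding eigenspaces. Without risk of confusion, the corresponding
observable may be denoted simply by $\phi$.

Let the operator $U$ act on a register $A$. Denote by 1 an additional bit and introduce the
matrix

$$S = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$

Then the operator

$$\Xi(U)[A, 1] = S[1]\ \Lambda(U)[1, A]\ S[1] \qquad (16)$$

is a measurement operator for the observable $\phi$. If $|\xi\rangle \in \mathcal{E}(U, \phi)$ then $\Xi(U)|\xi, 0\rangle = |\xi, \eta\rangle$,
where

$$|\eta\rangle = \frac{1}{2} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ 0 & \lambda(\phi) \end{pmatrix} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} \frac{1}{2}(1 + \lambda(\phi)) \\ \frac{1}{2}(1 - \lambda(\phi)) \end{pmatrix}$$

Hence the conditional probabilities $P_{\Xi(U)}(\phi, y) = P_{\Xi(U)[A,1],\,1}(\mathcal{E}(U, \phi), y)$ are as follows

$$P_{\Xi(U)}(\phi, 0) = \tfrac{1}{2}(1 + \cos(2\pi\phi)) \qquad P_{\Xi(U)}(\phi, 1) = \tfrac{1}{2}(1 - \cos(2\pi\phi)) \qquad (17)$$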

General properties of measurement operators and measurements are quite simple. Let us
fix a register $A$ and a family $\Omega$ of mutually orthogonal subspaces in $\mathbb{C}(\mathbb{B}^A)$. Set $\mathcal{N} = \bigoplus_{V \in \Omega} V$.
We will consider measurement operators for the same observable $z_\Omega$ with different additional
registers $D$.

Lemma 8

1. Let $(U, C)$ be a measurement with an additional register $D \supseteq C$. Then for any quantum
state $|\xi\rangle \in \mathcal{N}$ the composite probability formula holds

$$\mathrm{Prob}_{U|\xi,0\rangle}[z_C = y] = \sum_{V \in \Omega} P(\xi, V)\, P_{U,C}(V, y) \qquad (18)$$

2. The product of several measurement operators is a measurement operator. Measurement
operators with disjoint additional registers commute.

3. Let $(U', C')$ and $(U'', C'')$ be measurements with disjoint additional registers $D' \supseteq C'$ and
$D'' \supseteq C''$. Set $U = U'U''$, $C = C' \cup C''$. Then

$$P_{U,C}(V, (y', y'')) = P_{U',C'}(V, y')\ P_{U'',C''}(V, y'') \qquad (19)$$
Proof.

1. It is clear that $U|\xi, 0\rangle = \sum_{V \in \Omega} \Pi_V U|\xi, 0\rangle$. Hence

$\mathrm{Prob}_{U|\xi,0\rangle}[z_C = y]$

This gives the right hand side of eq. (18).

2. It follows from the definition. 

3. It follows from the general property of quantum probability (^. 
□ 

Now let us return to the example considered above. Suppose that the measurement operator
$\Xi(U)$ is applied $s$ times to the same register $A$ and different additional bits $1, \ldots, s$. Then one
can measure the values $z_1, \ldots, z_s$ of these bits and count how many 1's are contained in the
resulting sequence of 0's and 1's. Denote this count by $y$. Thus a new measurement $\Xi_s(U)$ is
defined, the number $y$ being its result. Since $z_1, \ldots, z_s$ behave as independent random variables,
$y/s$ is most likely close to $P_{\Xi(U)}(\phi, 1)$. More exactly, for any given constant $\delta > 0$

$$\mathrm{Prob}\bigl[\,|y/s - P_{\Xi(U)}(\phi, 1)| > \delta\,\bigr] < 2\exp(-c(\delta)\, s)$$

where $c(\delta) > 0$. Thus we measure the quantity $P_{\Xi(U)}(\phi, 1) = \frac{1}{2}(1 - \cos(2\pi\phi))$ with precision $\delta$
and error probability $< \exp(-c(\delta)\, s)$. If we substitute $iU$ for $U$ then $\cos(2\pi\phi)$ will change to
$-\sin(2\pi\phi)$. So we can measure both $\cos(2\pi\phi)$ and $\sin(2\pi\phi)$; this information is enough to find
$\phi$. We have proved the following

Lemma 9 Let $\delta > 0$ be a constant. For any $\epsilon > 0$, the value of the observable $\phi$ can be measured
with precision $\delta$ and error probability $< \epsilon$ by an operation sequence of length $O(\log(1/\epsilon))$
in the basis $\mathcal{Q} \cup \{\Lambda(U)\}$.

Unfortunately, it is difficult to measure $\phi$ with arbitrary precision because the cost of
measurement (i.e. the length of the operation sequence) grows polynomially in $\delta^{-1}$. However, the
situation is different if we have at our disposal the operators $\Lambda(U^k)$ for all $k$. More specifically,
consider the operator

$$U^{[0,r]} : \mathbb{C}(\{0, \ldots, r\}) \otimes \mathcal{N} \to \mathbb{C}(\{0, \ldots, r\}) \otimes \mathcal{N} \qquad U^{[0,r]}|a, \xi\rangle = |a\rangle \otimes U^a|\xi\rangle \qquad (20)$$

where $r = 2^l - 1$. (Note that the set $\{0, \ldots, 2^l - 1\}$ can be naturally identified with $\mathbb{B}^l$).
By Lemma 7, the operators $\Lambda(U^{2^j})$ ($j = 0, \ldots, l - 1$) can be represented in terms of $U^{[0,r]}$.
It takes $O(\log(l/\epsilon))$ operations to localize each of the numbers $2^j\phi$ (mod 1) in one of the 8
intervals ($s = 0, \ldots, 7$) with error probability $< \epsilon/l$. Using this information, one
can find (by a polynomial algorithm) the value of $\phi$ with precision $\frac{1}{8}2^{-(l-1)} = 2^{-l-2}$ and error
probability $< \epsilon$. We have obtained the following result

Lemma 10 Let $l$ be a positive integer; $r = 2^l - 1$. For any $\epsilon > 0$, the value of the observable
$\phi$ can be measured with precision $2^{-l-2}$ and error probability $< \epsilon$ by an operation sequence
of length $O(l \log(l/\epsilon)) + \mathrm{poly}(l)$ in the basis $\mathcal{Q} \cup \{U^{[0,r]}\}$. (The gate $U^{[0,r]}$ is used at most
$O(l \log(l/\epsilon))$ times).
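
The classical side of Lemmas 9 and 10, as an added Python example that is not part of the paper: one-bit outcomes are sampled with the probabilities of eq. (17) instead of simulating a quantum register, and the coarse estimates of 2^j φ (mod 1) are merged from the finest level down. The function names, the shot count and the halving rule used to merge the levels are assumptions of this example; the paper's own localization into 8 intervals is not reproduced.

```python
import cmath
import math
import random


def outcome_one_probability(phi, power=0, quarter_turn=False):
    """P(control bit = 1) for S * Lambda(W) * S applied to |xi, 0>.

    |xi> is an eigenvector of U with eigenvalue exp(2*pi*i*phi) and
    W = U^(2^power), or i*W when quarter_turn is set.
    """
    lam = cmath.exp(2j * math.pi * phi * (1 << power))
    if quarter_turn:
        lam *= 1j
    # S diag(1, lam) S |0> = ((1 + lam)/2)|0> + ((1 - lam)/2)|1>
    return abs(1 - lam) ** 2 / 4


def estimate_angle(phi, power, shots, rng):
    """Estimate theta = 2^power * phi (mod 1) from 2*shots sampled outcomes.

    phi is the hidden true phase; it is used only to draw the outcomes.
    """
    p_cos = outcome_one_probability(phi, power)
    p_sin = outcome_one_probability(phi, power, quarter_turn=True)
    ones_cos = sum(rng.random() < p_cos for _ in range(shots))
    ones_sin = sum(rng.random() < p_sin for _ in range(shots))
    cos_est = 1 - 2 * ones_cos / shots   # P(1) = (1 - cos 2*pi*theta) / 2
    sin_est = 2 * ones_sin / shots - 1   # with iU: P(1) = (1 + sin 2*pi*theta) / 2
    return (math.atan2(sin_est, cos_est) / (2 * math.pi)) % 1.0


def circle_distance(a, b):
    """Distance between two numbers taken modulo 1."""
    d = abs(a - b) % 1.0
    return min(d, 1.0 - d)


def measure_phase(phi, levels, shots=400, seed=1):
    """Merge coarse estimates of 2^j * phi, j = 0..levels-1, into one fine value.

    If x approximates 2^(j+1) * phi, then 2^j * phi is near x/2 or x/2 + 1/2;
    the coarse estimate at level j decides which, and the error of x halves.
    """
    rng = random.Random(seed)  # fixed seed: the constructed run is repeatable
    coarse = [estimate_angle(phi, j, shots, rng) for j in range(levels)]
    x = coarse[-1]
    for theta in reversed(coarse[:-1]):
        half = x / 2
        x = min((half, half + 0.5), key=lambda c: circle_distance(c, theta))
    return x


if __name__ == "__main__":
    true_phi = 5 / 6  # constructed input: an eigenphase of a cycle of length 6
    estimate = measure_phase(true_phi, levels=12)
    print(estimate, circle_distance(estimate, true_phi))
```

Each level needs only constant precision, so the number of sampled bits grows linearly in the number of levels while the final precision improves by a factor of 2 per level.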
Now consider an important particular case: $U$ is a permutation on a subset $N \subseteq \mathbb{B}^n$.
Corresponding to each cycle of the permutation are eigenvalues of the form $\exp(2\pi i\, p/q)$, where $q$
is the length of the cycle. Hence the values of $\phi$ are rational numbers with denominators $\le 2^n$.
The minimal separation between such numbers is $(2^n(2^n - 1))^{-1}$. Consequently, the exact
value of $\phi$ can be found by measuring it with precision $2^{-2n-1}$. Moreover, the transition from
the measured value to the exact one can be performed in polynomial time, using continued
fractions. What follows is a brief proof of this claim.

Suppose that the measurement produced a number $\phi' = p'/q'$ ($0 < p' < q' = 2^{2n+1}$), such
that $|\phi' - \phi| < 2^{-2n-1}$ (mod 1). It is easy to check whether $\phi = 0$, so we will assume that
$\phi \neq 0$. Thus $\phi = p/q$, where $p$ and $q$ are mutually prime, $0 < p < q \le 2^n$. Let us define a
sequence of positive integers $(k_1, \ldots, k_s)$ which can be obtained by applying Euclid's algorithm
to the pair $(q, p)$

$$q_{j-1} = k_j q_j + q_{j+1}, \quad 0 \le q_{j+1} < q_j \qquad (j = 1, \ldots, s)$$

$$q_0 = q \qquad q_1 = p \qquad q_s = \mathrm{g.c.d.}(q, p) = 1 \qquad q_{s+1} = 0$$

Since $q$ and $p$ are not known, we can not compute $k_1, \ldots, k_s$ directly. Instead of that, we can
apply Euclid's algorithm to the pair $(q', p')$ to get a sequence $(k'_1, \ldots, k'_{s'})$. It is easy to show
that

' <^<^ + T. = 1.....^) 



qj^i 2g2_^ q'. q.^^ {2q^^i - 1/qj) qj.i 



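$$k'_j = k_j \ \ (j = 1, \ldots, s-1) \qquad k'_s = k_s \ \ \text{or} \ \ k'_s = k_s - 1,\ k'_{s+1} = 1$$

It follows that $p/q = \mathrm{CF}(0, k'_1, \ldots, k'_s)$ or $p/q = \mathrm{CF}(0, k'_1, \ldots, k'_{s+1})$, where

$$\mathrm{CF}(m) = m, \qquad \mathrm{CF}(m_0, m_1, \ldots) = m_0 + \frac{1}{\mathrm{CF}(m_1, \ldots)}$$

To find $\phi = p/q$, we can compute the numbers $\phi_j = \mathrm{CF}(0, k'_1, \ldots, k'_j)$ ($j = 1, 2, \ldots$) until
$|\phi' - \phi_j| < 2^{-2n-1}$. Then $\phi = \phi_j$. We have proved the following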

Theorem 1 Let U be a permutation on a set N C B". Then the value of the corresponding 
observable can be measured exactly with error probability < e by an operation sequence of 
length poly{n) + 0(n) log(l/e) in the basis Q U {f/[°'^ (The gate f/[°'^ is used at most 
0(n log(n/e)) times). 
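
The continued-fraction step behind Theorem 1, as an added Python example that is not part of the paper: it recovers the exact eigenphase p/q from a measured dyadic value p'/2^(2n+1) and combines denominators into a cycle length, which for the constructed permutation x -> 2x mod 21 is the multiplicative order of 2 (the quantity order finding needs for factoring). The function names, the sample modulus and the measured values are constructed for illustration, and the measurement is assumed to lie within 2^-(2n+1) of the true phase.

```python
from fractions import Fraction
from math import gcd


def convergents(num, den):
    """Yield the continued-fraction convergents of num/den (Euclid's algorithm)."""
    h_prev, h, k_prev, k = 0, 1, 1, 0
    while den:
        a, r = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield Fraction(h, k)
        num, den = den, r


def exact_phase(p_measured, n):
    """Recover phi = p/q (q <= 2^n) from phi' = p_measured / 2^(2n+1).

    Distinct fractions with denominators <= 2^n differ by more than 2^-2n,
    so at most one of them lies within 2^-(2n+1) of phi', and that one is a
    convergent of phi'.
    """
    q_measured = 1 << (2 * n + 1)
    if not 0 <= p_measured < q_measured:
        raise ValueError("p' must satisfy 0 <= p' < 2^(2n+1)")
    phi_measured = Fraction(p_measured, q_measured)
    tolerance = Fraction(1, q_measured)
    for candidate in convergents(p_measured, q_measured):
        if candidate.denominator > (1 << n):
            break  # denominators only grow; no admissible fraction is left
        if abs(phi_measured - candidate) < tolerance:
            return candidate
    raise ValueError("measurement is not within tolerance of any p/q with q <= 2^n")


def nearest_dyadic(phi, n):
    """Constructed stand-in for the measurement: round phi to a multiple of 2^-(2n+1)."""
    q_measured = 1 << (2 * n + 1)
    return round(Fraction(phi) * q_measured) % q_measured


def cycle_length(measurements, n):
    """Least common multiple of the recovered denominators.

    Each eigenphase of a cycle of length q has a denominator dividing q, so
    the result divides q and equals q once the numerators share no factor.
    """
    length = 1
    for p_measured in measurements:
        q = exact_phase(p_measured, n).denominator
        length = length * q // gcd(length, q)
    return length


def orbit_length(a, modulus, start=1):
    """Length of the cycle of `start` under x -> a*x mod modulus (classical check)."""
    x, steps = (start * a) % modulus, 1
    while x != start:
        x, steps = (x * a) % modulus, steps + 1
    return steps


if __name__ == "__main__":
    n = 5  # 21 < 2^5, so cycle lengths are below 2^n
    measured = [nearest_dyadic(Fraction(s, 6), n) for s in (5, 2)]  # constructed
    print(measured, [exact_phase(m, n) for m in measured])
    print(cycle_length(measured, n), orbit_length(2, 21))
```

A single measurement may reveal only a divisor of the cycle length (1/3 here yields 3, not 6), which is why several measurements are combined.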



4 Quantum algorithm for the ASP 

Let $(k, n, a, F)$ be an instance of the ASP, $\mathrm{St}_F(a) = \{g \in \mathbb{Z}^k : F(g, a) = a\}$ its solution.
Consider two finite Abelian groups^

$$E = \mathbb{Z}^k / \mathrm{St}_F(a) \qquad H = \mathrm{Hom}(E, \mathbf{T}) \subseteq \mathrm{Hom}(\mathbb{Z}^k, \mathbf{T}) = \mathbf{T}^k$$

^ The group H is called the group of characters on E.

where $\mathbf{T} = \mathbb{R}/\mathbb{Z}$ is the group of real numbers modulo 1. Every element $h$ of the group $H$
can be represented by $k$ rational numbers (mod 1) $\phi_1, \ldots, \phi_k \in \mathbf{T}$ with common denominator
$q = |E| = |H| \le 2^n$. More specifically, $\phi_j = (h, V_j)$, where $(\cdot, \cdot) : H \times E \to \mathbf{T}$ is the natural
bilinear mapping, $V_1, \ldots, V_k \in E$ are the images of the basis elements $g_1, \ldots, g_k \in \mathbb{Z}^k$. It is
clear that computing $\mathrm{St}_F(a)$ is polynomially equivalent to finding $H$. (To find $H$ means to find
a polynomial subset of $\mathbf{T}^k$ that generates this group). We are going to show how to generate
a random element of $H$ using Theorem 1 (cf. [10]). The group $H$ itself can be generated by
sufficiently many random elements.

Consider the orbit $N = \{F(g, a) : g \in \mathbb{Z}^k\} \subseteq \mathbb{B}^n$. Obviously, $F(g, a)$ depends only on the
image of $g$ in the factor-group $E$, so we may use the notation $g(a)$ ($g \in E$). Elements of the
group $E$ may be regarded as permutations on the set $N$. The following vectors are eigenvectors
for all the operators $U \in E$

$$|\psi_h\rangle = \frac{1}{\sqrt{q}} \sum_{g \in E} \exp(2\pi i (h, g))\, |g(a)\rangle \qquad (h \in H) \qquad (21)$$

These vectors form an orthonormal basis of C(A^) called the Fourier basis. The corresponding 
eigenvalues are XhiU) = exp{—27ii{h,U)). In particular, if /z = (0i,...,0fc) then XhiVj) = 
exp(— 27ri0j) {j = 1, . . . ,k). Theorem || says that we can measure h with error probability 
< ke by an operation sequence of length k(j)oly{n) + 0{n) log(l/e)j in the basis Q U {G\o{n)}- 
(The operator G was defined in eq. (^). 

Now a new trick comes. Prepare the classical state

$$|a\rangle = \frac{1}{\sqrt{q}} \sum_{h \in H} |\psi_h\rangle$$


and measure h. By the composite probability formula (|T8[), the probability to obtain a given 
value of h is P{h) = J^h'eH , h), where h' stands for the actual value of the measured 
observable; P{h', h) > 1 — ke. Hence 

q-^\L\{l-ke) < Prob [/i G L] < q''^\L\ + ke for any L C 

Thus we can generate a random element of H with almost uniform distribution. 

Let $h_1, \ldots, h_l \in \mathbf{T}^k$ be independent random elements generated this way. We are to show
that they generate $H$ almost certainly, provided $l$ is large enough.

All the elements $h_1, \ldots, h_l$ belong to $H$ with probability $> 1 - kl\epsilon$. Suppose that they belong
to $H$ but do not generate $H$. Then $h_1, \ldots, h_l \in L$, where $L$ is a maximal proper subgroup of
$H$. For a given $L$, the probability of this event does not exceed $(\mathrm{Prob}[h \in L])^l < (\frac{1}{2} + k\epsilon)^l$.
Maximal proper subgroups of $H$ are in 1-to-1 correspondence with minimal nonzero subgroups
of $E$. The number of such subgroups is less than $|E| \le 2^n$. Hence the overall probability for
$h_1, \ldots, h_l$ not to generate $H$ is less than $kl\epsilon + 2^{n-l}(1 + 2k\epsilon)^l$. (The first term corresponds
to the possibility $\{h_1, \ldots, h_l\} \not\subseteq H$ while the second one accumulates contributions from all
the subgroups $L$). Setting $l = n + 4$, $\epsilon = (6kl)^{-1}$ guarantees that the random elements
hi, . . . ,hi eT^ generate H with probability > |. 

Thus the whole computation is organized as follows. We take I = n + A registers and 
prepare the initial state \a) in each of them. Then we do 0{kn \og{kn)) elementary mea- 
surements 

^iyr) {I < s <2n) with each register. The results of these measurements are 
processed in a classical way, which gives hi, . . . ,hi and, eventually, the canonical basis of the
stabilizer (with error probability < |). Through this computation, the blackbox subroutine F 
is invoked 0(fcn^ log(fcn)) times for inputs of size 0{n). We emphasize that our procedure is 
uniform, meaning that not only the operation sequence has length poly{k + n) but also it can 
be constructed in time poly{k + n) by a classical Turing machine. 

5 How to make quantum computation reversible? 

In this section we will show that any quantum computation or quantum measurement can 
be performed reversibly, i.e. without producing garbage. This allows to use quantum algo- 
rithms as subroutines for other algorithms in a non-classical way. In particular, the eigenvalue 
measurement procedure can be used for the quantum Fourier transform (QFT). 

We start with generalizing the definition of quantum computation (Definition Let Q and 
B be families of mutually orthogonal subspaces in C(B") and C(B'"), respectively. We are 
going to define quantum computation for functions of type F : Q ^ Q. As usually, computer's 
memory A contains an input register X of size n and an output register Y of size m. Elements 
V e r2, W G 6 may be regarded as linear subspaces of C(B"^) and C(B^), respectively. We 
will not make distinctions between V and V®(|0a\x))5 as well as between W and >V(8>C(B^\-*^). 
In other words, all the bits from A\X are initially set to 0, while all the bits from A\Y are 
ignored in the end. 

Definition 6 A unitary operator U G U(B^) (usually represented by an operation sequence) 
is said to compute a function F : Q ^ Q with error probability < e if 

WlOeVeQ p{u\0,F{V)) > l-e 

Now we are in position to formulate an extension of Lemma |^ which itself can be viewed as 
a generalization of Lemma 0. In the above setting, let T = Z^wee nw^w be a measurement 
operator for the observable zq with an additional register D. Consider the operator Ft = 
J2ven ^vTf{v) acting on the space M <S) C(B'^), where Af = 0VGf7 ^- This is a measurement 
operator for the observable zq. For applications, it is enough to consider functions of type 
F : Q —>■ B™ and take the operator for T. In this case the operator Fj- = F^^^ (or simply F^-) 
measures the value of the function F without producing any garbage. Note that for classical 
functions F (of type N — >■ B™, where N C B") the notation Fr coincides with the notation 
from Sec. pl^ . 

Theorem 2 Let a unitary operator U compute a function F : Q <d with error probability 
< e. Let also T be a measurement operator for the observable zq. Then the operator U^^TU 

represents the operator F^ with precision 2\\VL\e\ 

Proof. Let |^) G A/"® C(B^) be a unit vector. It can be represented as Svef^ ^vICv)) where 
G V ® C(B^) are unit vectors, cy > are real numbers. Note that SvenCy = 1, hence 
SvefiCv < ll^l^^^- Represent each vector ?7|^v) as |Cv) + l^v), where |Cv) = '^F{v)U\iv) ^ 
F(V)®C(B^). Then (CvlCv) = P{u\iv) . F^)) > 1 - e, hence ||^v|| < v^- 
By the definition of the operator T, T|^v) = ^f(v)ICv), hence 

\J-^TU = T^(V)lev) + U~\T - 1) l^v) 






The norm of the last term does not exceed 1\fi. Summation over all V G i7 gives the desired 
result. □ 

An interesting application of this theorem is a polynomial QFT algorithm for an arbitrary
finite Abelian group $G$. W.l.o.g. we may take $G$ to be a cyclic group $\mathbb{Z}_q$. (Transition to
a direct product of cyclic groups is straightforward). Let $q \le 2^n$, where $n$ is a constant. We
identify $\mathbb{Z}_q$ with the set $\{0, \ldots, q - 1\} \subseteq \mathbb{B}^n$. Our purpose is to represent the QFT operator
$V_q \in \mathbf{U}(\{0, \ldots, q - 1\})$

$$V_q|a\rangle = |\psi_{q,a}\rangle = \frac{1}{\sqrt{q}} \sum_{b=0}^{q-1} \exp\Bigl(2\pi i\, \frac{ab}{q}\Bigr) |b\rangle \qquad (22)$$

by an operation sequence in the basis $\mathcal{Q}$. We can also consider $q$ as a control parameter and
construct a representation for the operator $V : |q, \xi\rangle \mapsto |q\rangle \otimes V_q|\xi\rangle$.

The vectors $|\psi_{q,a}\rangle$ are eigenvectors of the cyclic permutation $|a\rangle \mapsto |(a + 1) \bmod q\rangle$. The
corresponding eigenvalues are $\lambda_{q,a} = \exp(-2\pi i (a/q))$. By Theorem 1, we can measure the
value of $a$. Theorem 2 allows us to perform this measurement reversibly, that is to represent
the following partial operator on $\mathbb{C}(\mathbb{B}^n \times \mathbb{B}^n)$

$$Q_q|\psi_{q,a}, 0\rangle = |\psi_{q,a}, a\rangle \qquad (a = 0, \ldots, q - 1) \qquad (23)$$

The QFT operator $V_q$ can be constructed from the operator $Q_q$ and another operator $T_q$ which
creates the vector $|\psi_{q,a}\rangle$ for a given value of $a$

$$T_q|a, 0\rangle = |a, \psi_{q,a}\rangle \qquad (a = 0, \ldots, q - 1) \qquad (24)$$

This construction is quite similar to that used in the proof of Lemma |^. Let X and Y be two 
disjoint registers of size n. Then|^ 

Vq[X] ®u[Y] = {Qq[X,Y]y' Tq[Y,X] T^[Y,X] T„.[X,Y] (25) 

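Indeed, $|a, 0\rangle \mapsto |a, a\rangle \mapsto |0, a\rangle \mapsto |\psi_{q,a}, a\rangle \mapsto |\psi_{q,a}, 0\rangle$.
It is obvious that $T_q|a, 0\rangle = U_q|a, \psi_{q,0}\rangle$, where

$$U_q|a, b\rangle = \exp(2\pi i (ab/q))\, |a, b\rangle$$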

The operator f/q can be easily constructed from A l^e^'^*^"/''^ , with s = 0, . . . ,n—l (byLemma^. 
Thus the only remaining task is to create the vector $|\psi_{q,0}\rangle$. For this, we have to regard $q$ as
a variable. Our procedure is recursive. For simplicity, assume that $2^{n-1} < q \le 2^n$. At the
first step, the machine sets the first bit to the quantum state $(q_0/q)^{1/2}|0\rangle + (q_1/q)^{1/2}|1\rangle$, where
$q_0 = 2^{n-1}$, $q_1 = q - q_0$. Then it looks at the value $x$ of this bit and creates the vector $|\psi_{q_x,0}\rangle$
in the remaining $n - 1$ bits. The result will be equal to $|\psi_{q,0}\rangle$.
^° Recall that lu is the partial operator which maps the vector |0) to itself.